Building an Organizational Application Security Competency
Dan Cornell, Denim Group
4/24/09 | Session ID: PROF-401
Worst Class Kickoff … Ever
• Scenario: ½ day application security awareness class for all developers and architects
• Trainer: “What do you hope to get out of this class?”
• Student: “I’m only here because my boss made me come.”
• Trainer: “Amazing - me too!”
Agenda
Imperative for Internal Security Competency
Who and What?
Training Options
Putting It Together
Imperative for an Internal Security Competency
Application Security Competency
• You Can’t Bolt It On – You’re Going to Have To Build It In
• State of the Industry
You Can’t Bolt It On
• Security must be incorporated into the lifecycle
• Too expensive to fully outsource
• Must develop some degree of internal competency
State of the Industry
• Computer Science programs typically do not address security issues
• Compliance regimes require developers to be trained in security
– PCI being the most specific
Who and What?
Who and What?
• Who needs to learn about application security?
• What do they need to know?
Who
• Executives
• Software Developers
• Quality Assurance
• Information Security
• IT Audit
Executives
• Business impact
• Compliance implications
Software Developers
• General background
• Security concepts
• Specific code and tool examples
Quality Assurance
• Already good at breaking things
• Incorporate negative testing into their practices
Information Security
• Often do not have modern software development backgrounds
• Threat modeling and other architectural approaches
IT Audit
• Often lacking modern software development experience
• How to link audit requirements to recommended activities and results?
Mapping Curriculum to Roles
Curriculum areas: Business Case, Introduction, Threat Modeling, Application Testing, Secure Coding
• Executives: CRITICAL, IMPORTANT, USEFUL
• Software Development: IMPORTANT, IMPORTANT, IMPORTANT, CRITICAL
• Quality Assurance: IMPORTANT, IMPORTANT, CRITICAL
• Information Security: IMPORTANT, IMPORTANT, IMPORTANT, IMPORTANT
• IT Audit: IMPORTANT, IMPORTANT, IMPORTANT, USEFUL
Training Options
Training Options
• Background Materials
• Instructor-Led
– Informal Seminars – “Lunch and Learn”
– Classroom Training
• eLearning
Background Materials
• Create an environment where the curious can access the information they need
• OWASP: www.owasp.org
• WASC: www.webappsec.org
Informal Seminars
• Internal presentations to target audiences
• “Lunch and Learn”
• Pros
– Inexpensive
– Great starting point
• Cons
– Often ad hoc
– Not comprehensive
Classroom Training
• Formal classroom instruction
• Pros
– Can be hands-on
– Interaction with instructor is invaluable
• Cons
– Expensive and time-consuming
– Attrition
eLearning
• Self-paced, delivered electronically
• Pros
– Logistics are easy
– Can be done as-needed
• Cons
– No interaction with instructors
Putting It Together
Approach
• Understand your requirements
• Set the stage
• Train
• Maintain
• Report
Requirements
• Understand business goals and compliance requirements
• Enumerate software development groups and methodologies
Set the Stage
• Goal is to create a security-conscious culture
– Makes maintenance much easier
• Provide background materials and informal training
– Seminars/Lunch and Learns
– Use this to identify mavens
Mavens
• Highly-connected people
– The Tipping Point: Malcolm Gladwell
• Cultural leaders for development groups
• “Go-to” individuals, interested in security
Educate
• Instructor-Led Training
– Mavens
– Architects and Team Leads
• eLearning
– All relevant parties
– Tailored curriculum to role
Maintain
• Not a one-time activity
• Incrementally build a sustaining culture
• eLearning is invaluable here
• Training is not enough – must be linked to doing
Report
• Track activity:
– Who was trained
– Training materials
• Proactive reporting helps with compliance
Best Practices
Curriculum Best Practices
• Language-specific materials are key
• Link to tools used in your organization
• Provide guidance on what is and is not acceptable
Delivery Best Practices
• Demonstrate executive commitment
• Track success stories and use them to drive the culture
Apply
• Send free materials provided by OWASP and WASC to developers
• Run a series of informal seminars to provide background information on application security
• Identify one person on each development team to act as the application security maven
• Run one or more instructor-led training classes for key development staff
• Provide eLearning to all development staff
Questions
Dan Cornell
Email: [email protected]
Twitter: @danielcornell
Web: www.denimgroup.com
Blog: denimgroup.typepad.com
Facebook: www.denimgroup.com/facebook
Phone: (210) 572-4400
Reference Materials
• OWASP Top 10
– http://www.owasp.org/index.php/OWASP_Top_Ten_Project
• OWASP Education Project
– http://www.owasp.org/index.php/Category:OWASP_Education_Project
• OWASP University Membership
– https://www.owasp.org/index.php/Membership